Google Vertex AI Memory Bank

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate cloud-memory setup skill, but it warrants review because it enables persistent, automatic cloud memory and installs unpinned remote code that its setup script fetches and executes.

Install only if you intentionally want Google Vertex AI-backed long-term memory for OpenClaw. Use a dedicated least-privilege GCP project, expect cloud costs, review the GitHub source and pin it to a specific commit before running the setup script, and disable `autoCapture` and `autoSyncFiles` (or set a memory TTL) before using it with sensitive conversations or workspace files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)


Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs users to run shell commands and scripts (`bash scripts/setup.sh`, `curl`, `npm`, `gcloud`) but does not declare corresponding permissions or execution capabilities. This creates a transparency and governance gap: users or orchestration systems may treat the skill as lower risk than it actually is, even though it performs installation, cloud configuration, and service creation actions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script clones a remote GitHub repository and then runs npm install and npm run build on that code, which can execute arbitrary package lifecycle scripts and build steps from an unpinned third-party source. Even if this matches the installation goal, it creates a supply-chain execution path on the local machine that could be abused if the repo or dependencies are compromised.
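The check a reviewer would run before letting that clone-and-build step execute, as an added example (this is not the skill's or OpenClaw's code). It parses a package.json, lists the lifecycle hooks npm runs automatically on `npm install` and the dependencies that are not pinned to an exact version, and shows how to pin the checkout to a commit and install with scripts disabled. The package.json, repository URL and commit hash below are constructed for the demonstration.

```python
"""Pre-install audit of a cloned npm project, run before `npm install` and
`npm run build`. Added example for this review page, not code from the skill
or from OpenClaw. The package.json below is constructed for the demonstration."""
import json
import re

# npm executes these script hooks automatically during `npm install`, before
# any build step the user deliberately invokes.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# An exact semver version, e.g. "1.3.0" or "2.0.0-beta.1". Ranges (^ ~ >=),
# wildcards, dist-tags ("latest") and git/URL specs all fail this test.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# A full 40-hex git object id; branch and tag names can move after review.
COMMIT_HASH = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample, not the real repository's manifest.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-memory-bank",
  "version": "0.1.0",
  "scripts": {
    "postinstall": "node scripts/fetch-binary.js",
    "build": "tsc -p ."
  },
  "dependencies": {
    "@google-cloud/aiplatform": "^3.0.0",
    "left-pad": "1.3.0",
    "some-tool": "github:example/some-tool"
  },
  "devDependencies": {
    "typescript": "latest"
  }
}"""


def lifecycle_scripts(pkg):
    """Scripts that will run on install without the user asking for them."""
    return {k: v for k, v in pkg.get("scripts", {}).items() if k in LIFECYCLE_HOOKS}


def unpinned_dependencies(pkg):
    """Dependencies whose spec is not an exact version."""
    found = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not EXACT_VERSION.match(str(spec)):
                found[name] = spec
    return found


def audit(package_json_text):
    """Return both risk classes for a package.json given as text."""
    pkg = json.loads(package_json_text)
    return {
        "lifecycle_scripts": lifecycle_scripts(pkg),
        "unpinned": unpinned_dependencies(pkg),
    }


def is_commit_hash(ref):
    return bool(COMMIT_HASH.match(ref))


def pinned_install_plan(repo_url, commit, target_dir):
    """Commands to run instead of cloning a moving branch and installing with
    scripts enabled. `npm ci` requires a lockfile and refuses a mismatched
    one; `--ignore-scripts` stops lifecycle hooks from running."""
    if not is_commit_hash(commit):
        raise ValueError("pin to a full commit hash, not a branch or tag")
    return [
        f"git clone {repo_url} {target_dir}",
        f"git -C {target_dir} checkout --detach {commit}",
        f"npm --prefix {target_dir} ci --ignore-scripts",
    ]


if __name__ == "__main__":
    result = audit(SAMPLE_PACKAGE_JSON)
    for hook, cmd in result["lifecycle_scripts"].items():
        print(f"lifecycle script '{hook}' runs on install: {cmd}")
    for name, spec in result["unpinned"].items():
        print(f"dependency '{name}' is not pinned: {spec}")
```

Installing with `--ignore-scripts` does not make the code safe to run at `npm run build` time; it only moves execution to a step the reviewer chooses, after the lifecycle hooks and the unpinned specs have been looked at.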

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script uses the caller's gcloud credentials to directly provision a Vertex AI reasoning engine via an authenticated API call. While this aligns with the stated purpose of setting up memory infrastructure, it still performs cloud resource creation with billing and security implications and does so automatically rather than requiring explicit confirmation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill advertises automatic recall, automatic capture of facts after each turn, and syncing of workspace files to Vertex AI Memory Bank, but it does not present an explicit privacy warning or informed-consent step. In context, this is more dangerous because the feature is specifically designed for persistent, cross-agent, cross-session memory, meaning sensitive conversation content and local file contents could be transmitted and retained externally without the user fully understanding the scope.
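A pre-flight check that turns the missing consent step into something enforceable, as an added example (not code from the skill or OpenClaw). Given the memory configuration and a listing of the workspace, it refuses the combination of automatic file sync with credential-like files present, and automatic capture with no retention limit, and returns a conservative configuration. The key name `ttlDays` is an assumption (the page only says a TTL can be set); `autoCapture` and `autoSyncFiles` are the names the page uses; the file list and sensitive-file patterns are constructed.

```python
"""Pre-flight privacy check for an agent memory configuration that can capture
conversation turns and sync workspace files to an external store. Added
example for this review page; the configuration, the file list and the key
name "ttlDays" are assumptions, not the skill's real schema."""
import fnmatch
import os

# Files that should never be synced to a remote memory store. Patterns are
# matched against the basename; extend for your own environment.
SENSITIVE_PATTERNS = (
    ".env", ".env.*", "*.pem", "*.key", "*.p12",
    "id_rsa*", "id_ed25519*", "*credentials*", "*service-account*.json",
)

# Constructed: the "turn everything on" configuration the finding warns about.
RISKY_CONFIG = {"autoCapture": True, "autoSyncFiles": True, "ttlDays": None}

# Constructed workspace listing, not a real project.
WORKSPACE_FILES = [
    "README.md",
    ".env",
    "src/index.ts",
    "config/service-account.json",
    "keys/deploy.pem",
]


def sensitive_files(paths):
    hits = []
    for path in paths:
        name = os.path.basename(path)
        if any(fnmatch.fnmatch(name, pat) for pat in SENSITIVE_PATTERNS):
            hits.append(path)
    return hits


def check_memory_config(config, workspace_files):
    """Return a list of problems; an empty list means the configuration is
    acceptable for the given workspace."""
    issues = []
    auto_capture = bool(config.get("autoCapture", False))
    auto_sync = bool(config.get("autoSyncFiles", False))
    ttl = config.get("ttlDays")
    ttl_set = isinstance(ttl, (int, float)) and ttl > 0

    if auto_sync:
        hits = sensitive_files(workspace_files)
        if hits:
            issues.append(
                f"autoSyncFiles would upload {len(hits)} sensitive file(s): "
                + ", ".join(hits)
            )
    if (auto_capture or auto_sync) and not ttl_set:
        issues.append(
            "automatic memory is enabled with no TTL; captured content is "
            "retained indefinitely across sessions and agents"
        )
    return issues


def hardened(config, ttl_days=30):
    """Conservative variant: no automatic capture or file sync, and a bounded
    retention period for anything the user stores explicitly."""
    out = dict(config)
    out["autoCapture"] = False
    out["autoSyncFiles"] = False
    if not (isinstance(out.get("ttlDays"), (int, float)) and out["ttlDays"] > 0):
        out["ttlDays"] = ttl_days
    return out


if __name__ == "__main__":
    for issue in check_memory_config(RISKY_CONFIG, WORKSPACE_FILES):
        print("BLOCK:", issue)
    print("hardened:", hardened(RISKY_CONFIG))
```

The second issue is deliberately raised even when no sensitive file is found: conversation content captured after every turn is the larger exposure, and a TTL is the only control the page names that bounds it.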

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs multiple side-effecting operations—authentication, API enablement, cloud provisioning, git clone, dependency installation, and build execution—without a clear upfront consent screen summarizing those actions. This increases the chance that a user will run the script without understanding that it will make network calls, spend cloud resources, and execute third-party code.
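Both this finding and the first one (undeclared permissions) come down to the same gap: nobody enumerated what the setup script does before it runs. The added example below (not the skill's code) scans a setup script statically, maps each side-effecting command to a capability, and produces the list that a skill manifest should declare and a consent screen should show. The script it scans is constructed to resemble the actions the findings describe, and the capability names are this example's own vocabulary, not an OpenClaw permission schema.

```python
"""Static scan of a setup script for side-effecting capabilities. Added
example for this review page, not the skill's own code; the sample script is
constructed and the capability names are an assumed vocabulary."""
import re

# (pattern, capability, what the user should be told)
RULES = [
    (re.compile(r"\bgcloud\s+auth\b"), "cloud-auth",
     "uses or obtains credentials for your GCP account"),
    (re.compile(r"\bgcloud\s+services\s+enable\b"), "cloud-admin",
     "enables GCP APIs on your project (can incur billing)"),
    (re.compile(r"\bgit\s+clone\b"), "network-fetch",
     "downloads source code from a remote repository"),
    (re.compile(r"\bnpm\s+(install|ci|run)\b"), "exec-package-scripts",
     "runs third-party package and build scripts locally"),
    (re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b"), "exec-remote-script",
     "pipes a downloaded script straight into a shell"),
    (re.compile(r"\bcurl\b.*-X\s+POST\b"), "cloud-write",
     "makes an authenticated API call that creates cloud resources"),
]

# Constructed stand-in for the setup script, written to exercise every rule.
SAMPLE_SETUP_SCRIPT = """#!/usr/bin/env bash
set -euo pipefail
gcloud auth application-default login
gcloud services enable aiplatform.googleapis.com
git clone https://github.com/example/openclaw-memory-bank.git memory-bank
cd memory-bank && npm install && npm run build
curl -fsSL https://example.com/helper.sh | bash
TOKEN=$(gcloud auth print-access-token)
curl -X POST -H "Authorization: Bearer $TOKEN" "$VERTEX_REASONING_ENGINES_URL"
"""


def scan_setup_script(text):
    """Return (line_number, capability, line) for every rule hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, capability, _ in RULES:
            if pattern.search(stripped):
                hits.append((lineno, capability, stripped))
    return hits


def consent_summary(hits):
    """Unique capabilities in first-seen order, each with its explanation."""
    explain = {cap: why for _, cap, why in RULES}
    seen = []
    for _, cap, _ in hits:
        if cap not in seen:
            seen.append(cap)
    return [(cap, explain[cap]) for cap in seen]


if __name__ == "__main__":
    hits = scan_setup_script(SAMPLE_SETUP_SCRIPT)
    print("This setup script will:")
    for cap, why in consent_summary(hits):
        print(f"  [{cap}] {why}")
    for lineno, cap, line in hits:
        print(f"  line {lineno} ({cap}): {line}")
    print("Declare these in the skill manifest and continue only after the user confirms.")
```

Pattern matching on a shell script is a coarse check (variables, `eval`, and scripts fetched at runtime can hide commands from it), so treat a clean scan as necessary rather than sufficient; its value is that the capability list it produces is concrete enough to put in front of a user before any of the listed actions happen.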

VirusTotal

66/66 vendors flagged this skill as clean.
